Main menu

Tor at the Heart: Security in-a-Box

This is one of a series of periodic blog posts where we highlight other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Please support the Tor Project! We're at the heart of Internet freedom.Donate today!

Security in-a-Box

More than ten years ago, Tactical Tech and Front Line Defenders started providing digital security trainings for human rights defenders at risk around the world. Soon thereafter, they created Security in-a-Box to supplement those trainings and to support self-learning and peer-education among those defenders.

Security in-a-Box offers general advice and practical walkthroughs designed to help its users secure their digital information and communication by choosing the right software and integrating it into their daily lives.

Hands-on guides

Security in-a-Box offers a number of Tool Guides that explain step-by-step how to download, install, and use digital security tools on Linux, Windows, Mac OS X, and Android. Some of these guides that were recently updated in 11 languages include:

Tips and Tactics

As digital security is a process that extends well beyond the adoption of specific tools, Security in-a-Box also offers Tactics Guides that propose new ways of thinking about security and recommend practices that might strengthen it. Some of these include:

Community

Over the years, a community of digital security trainers, editors, translators, and privacy advocates has sprung up around Security in-a-Box. Many digital security trainers from Africa, Latin America, Central and Southeast Asia, Europe and North America rely on Security in-a-Box for their trainings and contribute to its development.

Thanks to the project’s community translators, Security in-a-Box is published in 17 different languages. Recently updated translations include: Arabic, Spanish, Farsi, French, Indonesian, Portuguese, Russian, Thai, Turkish, Vietnamese and Chinese. As a result, Security in-a-Box reaches well over a million people each year with advice on digital security, online privacy and censorship circumvention.

None of this would have been possible without the work of the software developers who create these tools in the first place, and to whom we are extremely grateful. Donate to the Tor Project today!

Written by Maria Xynou (Tactical Tech) and Wojtek Bogusz (Front Line Defenders)

Bruce Schneier and Tor Project employees may not be surprised by one revelation from the latest batch of leaks of secret FBI papers. Still now everyone knows that what we long feared is true: FBI agents do not need to seek any warrants or to ever tell any judge if they want to target anyone who they believe is "engaged in the development of communications security practices":

> According to the guide, an online counterterrorism investigation can target websites or online networks that the FBI believes terrorists are using “to encourage and recruit members” or to spread propaganda. Such probes may extend to the administrators or creators of those forums, as well as people engaged in “the development of communications security practices” or “acting as ‘virtual couriers’ for terrorist organizations by passing online messages among members or leadership.”

Individual FBI agents are given very wide latitude in how to interpret these manuals, so some of them probably consider that anyone operating a Tor node is "acting as a virtual courier".

> Bruce Schneier and Tor Project employees may not be surprised by one revelation from the latest batch of leaks of secret FBI papers.
mismatch : it is coming from an ancient law (uk usage) : 'legitimate suspicion' still applied since several centuries ; nothing to do with terrorism or FBI or internet, (it is only used against genuine people usually so the "trump ban" is not involved.).
In fact this law is became a standard in the rogue state and where mafioso / military force became the "legitimate government" _ nothing to do with usa (e.u & arab & east countries are a better example) ...

pidgin is recommended but who has 100 correspondents & could say : it is safe & no one know whom and why & where i use it ?
* i tried it several time for communicating with few 'unknown' friends but i was not a target.

"Other Tool Guides cover setting up a Riseup email account,"
Not a good idea. Riseup may have been compromised.
Even if users use pgp, admins of a email server can know, who is talking to who, and all contacts in address book. What time user online.

From article:
""Due to Thanksgiving and other deadlines, our lawyers were not available to advise us on what we can and cannot say," the collective member told me. "So in the interest of adopting a precautionary principle, we couldn’t say anything. Now that we have talked to [counsel], we can clearly say that since our beginning, and as of this writing, riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.""

"And yet, when I asked if riseup had received any request for user data since August 16, the collective did not comment. Clearly, something happened, but riseup isn’t able to talk about it publicly."

> There is an excellent freeware anti-virus program for Windows called Avast, which is easy to use, regularly updated and well-respected by anti-virus experts. It requires that you register once every 14 months, but registration, updates and the program itself are all free-of-charge.

I'm not an employee of Tor Project, just a user, but I'll take a stab at this:

> Why there's some usa and UK ip-ranges in tor circuits?

The Tor network relies upon volunteers who provide Tor nodes at their own expense. Many of them live in the US/UK, and cheap rates are often available for servers in the US/UK. Further Tor is not yet outright illegal in the US/UK (although that might soon change). Hence it is not surprising that many Tor nodes are in the US/UK.

The country which hosts the most Tor nodes is currently FR, by the way. Because that nation has enacted a law which appears to mandate backdoors in "mobile devices", I am not sure how legal it is to operate a Tor node in FR, but I assume it must still be legal, if only just barely so.

> As far as I know the whole usa and UK is under control of NSA.

That's quite a leap. It would be more true to say that NSA maintains an illicit presence in many, even most, IXs, national backbones, commercial telecoms/ISP networks, banking networks, around the world, for the purpose of cyberespionage/cyberwar. As such NSA is virtually a "global adversary", of the kind which, in past years, Tor traditionally did not attempt to defend against.

However, many ordinary people, NGOs, and even government officials in the US/UK oppose the rapid growth and "normalization" of the technostasi in these formerly democratic nations, and NSA (and allied actors) cannot easily deter them all from speaking out.

Ideally, there would exist many "safe haven" nations which encourage people to run Tor nodes without interferrence, and if that were true, it would indeed make sense to try to encourage volunteers to set up nodes in such nations. But alas, it is not true--- as all the "Western" governments appear to be turning in unison to abandon the ideals of the Enlightenment in order to adopt a peculiarly vicious new form of technologically enabled fascism, there are perhaps no "safe havens" left.

That is why every citizen of every nation has a duty to resist government oppression, even though this puts them at severe risk of retaliation: if adults don't resist today, life in a police state will become unbearable for our children by the time they become adults, if indeed they do not become victims of the genocides for which figures like Trump are plainly preparing the way.

> So where is the logic of using tor browser that is controlled by NSA?

Again, quite a leap. NSA's illicit presence in numerous networks implies that it can "easily" collect packets as they (i) pass between a user and an ISP gateway to a Tor entry guard (ii) pass from an entry guard to a Tor relay node (iii) pass from a Tor relay node to a Tor exit node (iv) pass from a Tor exit node to a destination server. However, because tor circuits are strongly encrypted as per the basic idea of the "onion" design, NSA may not be able to easily read the underlying plaintext.

It is true that NSA has poured enormous resources into illegally accessing all manner of electronic devices, no doubt including Tor nodes, all over the world, and is also suspected of itself operating some nodes for illicit purposes, but this makes them a criminal adversary of the Tor network, not a "controller" of the Tor network.

And while NSA's power and resources are indeed frightful, the agency is struggling under complex problems which tends to reduce or even undermine its real-world capabilities.

It would be better to think of it like this: NSA is a deadly enemy, in fact the enemy of the entire world (even the US), but Tor is a powerful force for good which is helping to prevent them from too easily grabbing everything they want "because they can".

> https://boingboing.net/2017/02/15/title-italy-unveils-a-law-pro.html
bullshit !
Nothing to with terrorism or maffia ; they do not need a trojan !
In fact since dalla chiesa period , their methods are well known and never did or do attack the civil rights !
uk or us laws are not italians laws : misinformation & fake news are polluting the web.
The article (follow the italian link above pls) is about police force and judges who are working on the side of the organized crime and are afraid to be behind the bars : they are legalizing illegal methods - (romania tried to do the same about corruption few days ago).

I don't know if the developers will read this I not going out of my way to inform them using other methods of communication than this, means no email or otherwise etc. Simple things like that there should be easy to access feedback that doesn't need a sign-up or sign-in etc. If you know how to contact them tell them of this feedback. I post here instead.

First impression with Tor v6.5 FUGLY well that is firefox fault they lost the plot years ago when they wanted everything mobile like YUK. Anyway at least it is not google or its clones or should that be opera and its clones. Nor thankfully is it IE.

Big FUG is the wasted space at the top of the browser stealing desktop space so less screen to read web pages. Firefox there's no need for this whatsoever, go back to v2 and take another look that browser was far better than is now. That FuckFox out of the way now on with Tor.

The older tor could easy let me choose any country from a panel list. With this version needs to keep pressing new circuit. Yes sure exit nodes and all that crap what do I care for the setting they should be available in the browser Tor settings since no one or the many will never use them including myself.

Suggest have again the old panels that used to be so able to adjust country instead of cycling new circuit with a hope of getting the country correct. This is poor foresight and lack of thought. Or how about have a drop list on new circuit where we can pick the country we need as an IP.

These are the major first gripes I guess I hate this Tor and the old one is far superior and far simpler to understand.

And what does it mean for min security slider no security but has NoScript unknown and not going to look for that either. That should be on the security slider details as is with the other two settings. Again poor lack of forethought, foresight and planning. And how many people are involved with Tor surely someone must have suggested these things to make using tor easy and more enjoyable.

At least it starts quicker than the old Tor but I would expect that with amount of time in between the versions.

Someone inform the Tor developers so they can come and read copy and inform other developers. And rightly so then delete this once they have the information.

Why is there no way to chat live with tor or not to Tor this is what would be expected. Or at least a feedback panel like this here. But then maybe Tor are thinking to many people would write to complain and rightly so.

Anyway thanks for keeping Tor going it has gone backwards dumbed down. The old version a young 4 year old could easily use it, I guess with this version it would be less so.

Don't shoot the messenger I am trying to help Tor to be better than it is now using this feedback.

I think it's terribly important that Tor Project to everything it can to encourage more people to use Tor. At times this might lead to minor (or even major) design decisions which seem repugnant to we long-time users (or even a bit scary, e.g. the lowballed default settings in the security slider). It probably helps to bear in mind that every design decision involves tradeoffs. In the case of Tor, the most difficult and hardest to avoid include tradeoffs between usability/security, security/anonymity, simplicity/complexity (maybe just a different way of restating the usability/security issue), boldness/risk-aversiveness. Not only Tor coders but Tor users must continually make this kind of tradeoff.

yeh, I agree with you about mobile like fugly UI, plus it glitching and slower than the previous versions but with all the advanced options that you need without necessarily getting into the about:config.

They shall left the previous (windows 95 like or win2k, whatever) UI for ppl to decide what better to use.

Everything is terribly conspirative these days and fugly simplified, that's the point.

Recent Updates

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.0.1-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely by the end of the month.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.0.1-alpha is the first release in the new 0.4.0.x series. It introduces improved features for power and bandwidth conservation, more accurate reporting of bootstrap progress for user interfaces, and an experimental backend for an exciting new adaptive padding feature. There is also the usual assortment of bugfixes and minor features, all described below.

Changes in version 0.4.0.1-alpha - 2019-01-18

Major features (battery management, client, dormant mode):

When Tor is running as a client, and it is unused for a long time, it can now enter a "dormant" state. When Tor is dormant, it avoids network and CPU activity until it is reawoken either by a user request or by a controller command. For more information, see the configuration options starting with "Dormant". Implements tickets 2149 and 28335.

The client's memory of whether it is "dormant", and how long it has spent idle, persists across invocations. Implements ticket 28624.

There is a DormantOnFirstStartup option that integrators can use if they expect that in many cases, Tor will be installed but not used.

Major features (bootstrap reporting):

When reporting bootstrap progress, report the first connection uniformly, regardless of whether it's a connection for building application circuits. This allows finer-grained reporting of early progress than previously possible, with the improvements of ticket 27169. Closes tickets 27167 and 27103. Addresses ticket 27308.

When reporting bootstrap progress, treat connecting to a proxy or pluggable transport as separate from having successfully used that proxy or pluggable transport to connect to a relay. Closes tickets 27100 and 28884.

Tor 0.3.5.7 is the first stable release in its series; it includes compilation and portability fixes, and a fix for a severe problem affecting directory caches. Tor 0.3.4.10 and 0.3.3.11 are also released today; please see the official announcements for those releases if you are tracking older stable versions.

The Tor 0.3.5 series includes several new features and performance improvements, including client authorization for v3 onion services, cleanups to bootstrap reporting, support for improved bandwidth- measurement tools, experimental support for NSS in place of OpenSSL, and much more. It also begins a full reorganization of Tor's code layout, for improved modularity and maintainability in the future. Finally, there is the usual set of performance improvements and bugfixes that we try to do in every release series.

There are a couple of changes in the 0.3.5 that may affect compatibility. First, the default version for newly created onion services is now v3. Use the HiddenServiceVersion option if you want to override this. Second, some log messages related to bootstrapping have changed; if you use stem, you may need to update to the latest version so it will recognize them.

We have designated 0.3.5 as a "long-term support" (LTS) series: we will continue to patch major bugs in typical configurations of 0.3.5 until at least 1 Feb 2022. (We do not plan to provide long-term support for embedding, Rust support, NSS support, running a directory authority, or unsupported platforms. For these, you will need to stick with the latest stable release.)

Below are the changes since 0.3.5.6-rc. For a complete list of changes since 0.3.4.9, see the ReleaseNotes file.

Changes in version 0.3.5.7 - 2019-01-07

Major bugfixes (relay, directory):

Always reactivate linked connections in the main loop so long as any linked connection has been active. Previously, connections serving directory information wouldn't get reactivated after the first chunk of data was sent (usually 32KB), which would prevent clients from bootstrapping. Fixes bug 28912; bugfix on 0.3.4.1-alpha. Patch by "cypherpunks3".